Friday, April 29, 2011

Small Businesses = Excellent Target

Reading this article describing actual unauthorized bank account transfers to overseas accounts reminds me of the size of the pink elephant in the room. Large organizations can incur the expense of security-specific IT staff. Bigger orgs are also more likely to understand the business risk of incidents. Not so for the little guy.
From the article:

The alert said the unauthorized wires range in value from $50,000 to $985,000. While most transfers tend to be toward the upper end of that spectrum, “the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000.” In addition, the attackers initiated fraudulent automated clearing house (ACH) transfers to money mules in the United States within minutes of conducting the overseas wire transfers.

I have a friend who is part owner of a computer consulting company. We discuss security things. He gets it. Sadly, that's where it stops. To successfully integrate security services into offerings to clients they want to see direct and tangible returns for the investment. Their only line of defense is some sort of packet filtering and AV on the hosts. Uhhhg. Sooo far to go still to pull heads out of the 90s.

His clients generally are small to the small-end-of-mid-sized businesses that watch their overhead quite closely. With their budgets for IT they buy services and systems that directly support or make doing business possible. If any customers have their own IT staff I'd be surprised. They rely on his (or his employees') consulting to get things done.

From a business perspective, it is _almost_ understandable. Your limited cash resources force you to make decisions about where to spend. You pay your employees that directly contribute to generating income. You buy stuff that does the same. Outsource the remaining things. Pricing your products and services to support extra overhead at times can damage your ability to compete in your business' target market. Ya gotta get money to pay for "security" somewhere.

Considering that the risk that someone can drain your bank account has been increasing because the business model around taking your cash is working, shouldn't we change our thinking and habits? What small business can withstand the sudden loss of even $50,000? Certainly not mine!

So, what have we learned? Your intrusion into a US small business will likely go unnoticed unless you blatantly pull some jackassery like disrupting business service. You can easily remain persistent and gather intelligence simply by avoiding AV detection and common egress-filtered ports. Your tracks will likely be erased (horribly trampled on at a minimum) by consultants and business decisions with a priority of restoring service rather than investigating why something failed.

Kinda makes one wonder where the threshold for "noticeable" electronic banking transfers may lie...